Misplaced Trust
The primary issue with a perimeter-centric security strategy where countermeasures are deployed at a handful
of well-defined ingress/egress points to the network is that it relies on the assumption that everything on
the internal network can be trusted. However, this assumption is no longer a safe one to make, given modern
business conditions and computing environments where:
• Remote employees, mobile users, and cloud computing solutions blur the distinction between
“internal” and “external.”
• Wireless technologies, the proliferation of partner connections, and the need to support guest
users introduce countless additional pathways into the network.
• Branch offices may be located in untrusted “countries of interest.”
• Insiders, whether intentionally malicious or just careless, may present a very real security threat.
Such strategies also fail to account for:
• The potential for sophisticated cyberthreats to penetrate perimeter defenses—in which case
they would then have free rein over the internal network.
• Scenarios where malicious users are able to gain access to the internal network and sensitive
resources by using the stolen credentials of trusted users.
• The reality that internal networks are rarely homogeneous but instead include pockets of users
and resources with inherently different levels of trust/sensitivity, which should ideally be separated
in any event (e.g., R&D and financial systems vs. print/file servers).
The Zero Trust Model – Providing Effective Security for Modern Networks
A promising alternative model for IT security, Zero Trust is intended to remedy the deficiencies with perimeter-
centric strategies and the legacy devices and technologies used to implement them. It does this by promoting
“never trust, always verify” as its guiding principle. This differs substantially from conventional security models
which operate on the basis of “trust but verify.”
In particular, with Zero Trust there is no default trust for any entity—including users, devices, applications and
packets—regardless of what it is and its location on or relative to the corporate network. In addition, verifying that
authorized entities are always doing only what they’re allowed to do is no longer optional; it’s now mandatory.
The implications of these two changes are, respectively:
a. The need to establish trust boundaries that effectively compartmentalize different segments of the internal
computing environment. The general idea is to move security functionality closer to the different pockets
of resources that require protection. This way it can always be enforced regardless of the point of origin of
associated communications traffic.
b. The need for trust boundaries to do more than just initial authorization and access control enforcement.
To “always verify” also requires ongoing monitoring and inspection of associated communications traffic for
subversive activities (i.e., threats).
The core Zero Trust principle and derivative implications are further reflected and refined in the three concepts
that define the operational objectives of a Zero Trust implementation.2
Concept #1: Ensure that all resources are accessed securely regardless of location. This suggests not only
the need for multiple trust boundaries but also increased use of secure access for communication to/from
resources, even when sessions are confined to the “internal” network. It also means ensuring that only devices
with the right status and settings (e.g., ones that are managed by corporate IT, have an approved VPN client and
proper passcodes, and are not running malware) are allowed access to the network.
Concept #2: Adopt a least-privileged strategy and strictly enforce access control. The goal in this case is to
absolutely minimize allowed access to resources as a means to reduce the pathways available for malware and
attackers to gain unauthorized access—and subsequently to spread laterally and/or exfiltrate sensitive data.
Concept #3: Inspect and log all traffic. This reiterates the need to “always verify” while also making it clear
that adequate protection requires more than just strict enforcement of access control. Close and continuous
attention must also be paid to exactly what is happening in “allowed” applications, and the only way to do this is
to inspect the content for threats.
Figure 1 (diagram): a Zero Trust segmentation platform defining trust zones, including a PCI zone, application services zones, a web application zone, an employee application zone, a campus zone, a wireless zone, a management zone and a B2B zone.
Zero Trust Segmentation Platform. Referred to as a network segmentation gateway by Forrester® Research,2
the Zero Trust segmentation platform is the component used to define internal trust boundaries. In other
words, it is what provides the majority of the security functionality needed to deliver on the Zero Trust
operational objectives—including the ability to enable secure network access, granularly control traffic flow
to/from resources, and continuously monitor allowed sessions for signs of threat activity. Although Figure 1
depicts the Zero Trust segmentation platform as a single component in a single physical location, in practice—
due to performance, scalability and physical limitations—an effective implementation is more likely to entail
multiple instances distributed throughout an organization’s network. In addition, the solution is designated as
a “platform” not only to reflect that it is an aggregation of multiple distinct (and potentially distributed) security
technologies, but also that they operate as a holistic threat protection framework to reduce the attack surface
and correlate information about threats that are found.
Trust Zones. Referred to as a “micro core and perimeter” (MCAP) by Forrester Research,2 a trust zone is a
distinct pocket of infrastructure where the member resources not only operate at the same trust level but also
share similar functionality. Sharing functionality, such as protocols and types of transactions, is imperative,
in fact, because this is what is needed to actually minimize the number of allowed pathways into and out
of a given zone and, in turn, minimize the potential for malicious insiders and other types of threats to gain
unauthorized access to sensitive resources.
Example trust zones shown in Figure 1 include the user (or campus) zone, a wireless zone for guest access, a
cardholder data zone, database and application zones for multi-tier services, and a zone for public-facing web
applications.
It is important to note, too, that a trust zone is not intended to be a “pocket of trust” where systems (and
therefore threats) within the zone are able to communicate freely/directly with each other. For a full Zero Trust
implementation, the network would be configured to ensure that ALL communications traffic—including that
between devices in the same zone—is intermediated by the corresponding Zero Trust segmentation platform.
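The three concepts above (device posture, least-privilege default-deny access control, and inspecting and logging every session) and the trust-zone rule that even intra-zone traffic must be intermediated can be expressed as a small policy evaluator. The following is an added illustration written for this page; it is not Palo Alto Networks code, and every zone name, role, application label, device attribute and "threat signature" in it is constructed for the example:

```python
"""Toy Zero Trust policy point (added example, not the paper's or vendor's code).

Every flow, including one between two hosts in the same zone, passes through
evaluate(), which applies: (1) a device posture check, (2) least-privilege,
default-deny rules keyed on role, source zone, destination zone and application,
(3) content inspection of allowed sessions, and (4) an audit record for every
decision, allowed or denied. All names and values below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled with corporate IT (constructed attribute)
    vpn_client: bool     # approved VPN client present
    malware_free: bool   # endpoint reports no active malware


@dataclass(frozen=True)
class Flow:
    user: str
    role: str
    device: Device
    src_zone: str
    dst_zone: str
    app: str
    payload: bytes = b""   # content handed to inspection after access is granted


@dataclass(frozen=True)
class Rule:
    roles: frozenset
    src_zone: str
    dst_zone: str
    apps: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed stand-in for a content-inspection engine's signature set.
THREAT_SIGNATURES = (b"CONSTRUCTED-THREAT-MARKER",)

# Constructed, deliberately narrow rule set. Anything not listed is denied,
# including campus-to-campus traffic that has no explicit rule.
RULES: List[Rule] = [
    Rule(frozenset({"employee", "finance"}), "campus", "employee-app", frozenset({"web-browsing", "ssl"})),
    Rule(frozenset({"finance"}), "campus", "pci", frozenset({"ssl"})),
    Rule(frozenset({"app-tier"}), "employee-app", "db", frozenset({"mysql"})),
    Rule(frozenset({"employee"}), "campus", "campus", frozenset({"smb"})),  # intra-zone still needs a rule
]

AUDIT_LOG: List[dict] = []   # one record per evaluated flow ("inspect and log all traffic")


def device_compliant(d: Device) -> bool:
    """Concept #1: only devices with the right status and settings may access the network."""
    return d.managed and d.vpn_client and d.malware_free


def match_rule(flow: Flow, rules: List[Rule]) -> Optional[Rule]:
    """Concept #2: first rule that explicitly permits this role/zone/zone/app tuple, else None."""
    for r in rules:
        if (flow.role in r.roles and flow.src_zone == r.src_zone
                and flow.dst_zone == r.dst_zone and flow.app in r.apps):
            return r
    return None


def inspect_content(payload: bytes) -> Optional[bytes]:
    """Concept #3: allowed sessions are still inspected; return the matching signature, if any."""
    for sig in THREAT_SIGNATURES:
        if sig in payload:
            return sig
    return None


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Decision:
    """Evaluate one flow and append an audit record regardless of outcome."""
    if not device_compliant(flow.device):
        decision = Decision(False, "device posture check failed")
    elif match_rule(flow, rules) is None:
        decision = Decision(False, "no rule permits this flow (default deny)")
    else:
        sig = inspect_content(flow.payload)
        if sig is not None:
            decision = Decision(False, f"threat signature matched: {sig.decode()}")
        else:
            decision = Decision(True, "rule matched, content clean")
    AUDIT_LOG.append({
        "user": flow.user, "role": flow.role, "src_zone": flow.src_zone,
        "dst_zone": flow.dst_zone, "app": flow.app,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    good = Device(managed=True, vpn_client=True, malware_free=True)
    for f in (
        Flow("alice", "finance", good, "campus", "pci", "ssl"),
        Flow("bob", "employee", good, "campus", "pci", "ssl"),
        Flow("bob", "employee", good, "campus", "campus", "rdp"),
        Flow("alice", "finance", good, "campus", "employee-app", "ssl", b"xx CONSTRUCTED-THREAT-MARKER xx"),
    ):
        print(f.user, f.src_zone, "->", f.dst_zone, f.app, evaluate(f))
```

The point of the toy is the shape of the decision, not the rule contents: posture is checked before any rule is consulted, an empty match is a denial rather than an implicit allow, an allowed session can still be terminated by inspection, and the audit record is written on every path so a denied or blocked flow is as visible to investigators as an allowed one.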
High-Performance Design
By definition, a Zero Trust platform aggregates numerous security and networking capabilities. However, it
must also be capable of delivering all of these features without becoming a performance bottleneck. The
Palo Alto Networks solution achieves this objective first and foremost by utilizing a single-pass software
architecture.
Processing requirements and latency are minimized as, unlike with other solutions, there is no need for traffic
streams to be processed multiple times (e.g., once for each security function). In addition, Palo Alto Networks hardware appliances
feature separate control and data planes, plus function-specific, parallel processing hardware engines (i.e.,
custom chips) for core packet processing, acceleration of standard security functions, and dedicated content
scanning. At the high end, the result is 200 Gbps of Zero Trust throughput, with unmatched visibility and
control of applications, users, and content.
Flexible, non-disruptive deployment. Ideally, it should be possible to implement a Zero Trust approach in
a way that requires no modification to the existing network and is completely transparent to one’s users.
Opportunities to take advantage of major network overhauls are rare, and disrupting operations is not a good
career choice. Thus, IT security managers will need to make do as best they can, typically by converting to
Zero Trust on the fly. The Palo Alto Networks Next-Generation Security Platform supports this requirement in
numerous ways. For example:
• Virtual wire mode enables transparent, Layer 1 insertion into the network and does not require any
configuration changes to surrounding or adjacent network devices. All next-generation security technologies
are supported in this mode.
• A single hardware appliance can support multiple different connection modes (Layer 1, Layer 2 or Layer 3),
thereby maximizing its ability to accommodate trust zones with different needs.
• Support for a broad range of networking technologies (e.g., L2/L3 switching, dynamic routing, 802.1Q
VLANS, trunked ports and traffic shaping) guarantees the ability to integrate into practically any environment.
• Multiple management domains (see Figure 1) can be accommodated by taking advantage of a virtual
systems capability that enables separate, isolated Zero Trust virtual instances on a physical appliance.
Virtual systems allow you to segment the administration of all policies (security, NAT, QoS, etc.) as well as
all reporting and visibility functions.
Centralized management. As discussed, the basis for this requirement is the need to be able to efficiently
administer multiple, distributed Zero Trust segmentation platforms. In this case, the core need is met by Palo
Alto Networks Panorama™ network security management, an optional centralized management offering.
However, that is only the beginning of the management capabilities that Palo Alto Networks makes available
to simplify the task of implementing and maintaining a Zero Trust security model. Other notable features
include:
• A unified policy model and interface that avoids having to flip between multiple screens and/or consoles
to view and configure access control and inspection rules.
• A hierarchical policy and administration model that accommodates a combination of both global and local
rules and configuration settings.
• Advanced, graphical visualization tools for better understanding what applications and users are doing on
your network at any given point in time.
• A comprehensive REST-based API that enables quick-and-easy integration with third-party management,
automation and orchestration tools—for example, to ensure protection for newly provisioned or relocated
virtualized applications.
• Integral reporting and logging, with real-time filtering for rapid forensic investigation into every session
traversing the network.
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
4401 Great America Parkway, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
zero-trust-approach-wp-081616
www.paloaltonetworks.com